Patterns for Application Firewalls Eduardo B. Fernandez Nelly A. Delessy Gassant.

Slides:



Advertisements
Similar presentations
MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.
Advertisements

Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -
Network Security Essentials Chapter 11
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
FIREWALLS Chapter 11.
Security Firewall Firewall design principle. Firewall Characteristics.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Network and Security Patterns
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Common IS Threat Mitigation Strategies An overview of common detection and protection technologies Max Caceres CORE Security Technologies
Secure Systems Research Group - FAU Security patterns Eduardo B. Fernandez Dept. of Computer Science and Engineering Florida Atlantic University Boca Raton,
Access Controls Supervised by: Dr.Lo’ai Tawalbeh Prepared by: Abeer Saif.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
A Survey on Interfaces to Network Security
Firewalls Marin Stamov. Introduction Technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.
Introducing Kerio Control Unified Threat Management Solution Release date: June 1, 2010 Kerio Technologies, Inc.
A Brief Taxonomy of Firewalls
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.
Intranet, Extranet, Firewall. Intranet and Extranet.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Brad Baker CS526 May 7 th, /7/ Project goals 2. Test Environment 3. The Problem 4. Some Solutions 5. ModSecurity Overview 6. ModSecurity.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
Chapter 13 – Network Security
1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.
P RESENTED B Y - Subhomita Gupta Roll no: 10 T OPICS TO BE DISCUSS ARE : Introduction to Firewalls  History Working of Firewalls Needs Advantages and.
Case Study: DirXML Implementation at Waste Management Rick Wagner Systems Engineer Novell, Inc.
FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.
Safeguarding OECD Information Assets Frédéric CHALLAL Head, Systems Engineering Team OECD.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.
Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.
McLean HIGHER COMPUTER NETWORKING Lesson 14 Firewalls & Filtering Comparison of Internet content filtering methods: firewalls, Internet filtering.
Module 7: Advanced Application and Web Filtering.
1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Secure Systems Research Group - FAU 1 A Trust Model for Web Services Ph.D Dissertation Progess Report Candidate: Nelly A. Delessy, Advisor: Dr E.B. Fernandez.
A Pattern Language for Firewalls Eduardo B. Fernandez, Maria M. Petrie, Naeem Seliya, Nelly Delessy, and Angela Herzberg.
Microsoft ISA Server 2000 Presented by Ricardo Diaz Ryan Fansa.
Security fundamentals Topic 10 Securing the network perimeter.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
Network Security Major Problems Network Security Major Problems Why Firewall? Why Firewall? Problems with Firewalls Problems with Firewalls What is.
Remote Authenticator /Authorizer Instructor: 張顧耀 老師 Student: 曾冠樺.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY IT375 Window Enterprise Administration Course Name – IT Introduction to Network Security Instructor.
Some Great Open Source Intrusion Detection Systems (IDSs)
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Security fundamentals
CS457 Introduction to Information Security Systems
TMG Client Protection 6NPS – Session 7.
Top 5 Open Source Firewall Software for Linux User
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Network Security Analysis Name : Waleed Al-Rumaih ID :
WEB SERVICES From Chapter 19 of Distributed Systems Concepts and Design,4th Edition, By G. Coulouris, J. Dollimore and T. Kindberg Published by Addison.
Introduction to Networking
Firewalls.
Security in Networking
6.6 Firewalls Packet Filter (=filtering router)
Firewalls Types of Firewalls Inspection Methods Firewall Architecture
CORE Security Technologies
دیواره ی آتش.
How to Mitigate the Consequences What are the Countermeasures?
WEB SERVICES From Chapter 19, Distributed Systems
Presentation transcript:

Patterns for Application Firewalls Eduardo B. Fernandez Nelly A. Delessy Gassant

2 Agenda Introduction The Application Firewall Pattern The XML Firewall Pattern

3 Introduction Driven by business imperatives, organizations have to open up their systems to a wide variety of partners, customers or mobile employees. Web applications and web services made it possible to easily access their internal network from the outside, introducing new types of threats: –Increasing number of user categories  misuse more likely –Each application implements access control  Increased complexity  weakens security of the whole system

4 Introduction New types of threats: –New accesses realized by using or by tunneling into existing protocols (HTTP, SMTP, …)  evade access control to services performed by traditional firewalls –Payload of these messages can embed harmful data Common solution: to add an Application Firewall to the traditional line of defense defined by network-based firewalls. 2 patterns can be abstracted from current commercial offers: –the Application Firewall (general scheme) –The XML Firewall (firewall specialization)

5 The Application Firewall Pattern Intent –To filter calls and responses to/from user- defined applications, based on an institution access control policies. Aka –Content Firewall

6 The Application Firewall Pattern Context –User-defined applications executing in distributed systems accessed through a local network, from the Internet, or from external networks. –Specific security policies have been defined by the institution, expressed as authorization rules.

7 The Application Firewall Pattern Problem –User-defined applications in an organization’s internal network are accessed by a broad spectrum of users that may attempt to abuse its resources (leakage, modification or destruction of data). –These applications can be numerous, thus implementing access control independently for each of them may make the system more complex, and thus less secure. –Traditional network firewalls (application layer firewalls or packet filters), do not make it possible to define high level rules (role-based or individual-based rules) that could make the implementation of business security policies easier and simpler.

8 The Application Firewall Pattern Forces –There may be many users (subjects) that need to access an application in different ways; the firewall must adapt to this variety. –There are many ways to filter, we need to separate the filtering code from the application code. –There may be numerous applications, that may require different levels of security. –The business policies are constantly changing and are constantly updated; hence it should be easy to change the firewall configuration. –The number of users and applications may increase ; adding more users or applications should be done transparently and at low cost.

9 The Application Firewall Pattern Solution –A client can access a service of an application only if a specific policy authorizes it to do so. –Policies for each application are centralized within the Application Firewall, in a PolicyDefinitionPoint. – Each application is accessed by a client through a PolicyEnforcementPoint, that enforces the access control for the applications. –Enforcement includes authenticating the client through its identity data stored in the PolicyDefinitionPoint and looking for a mapping policy for the request.

10 The Application Firewall Pattern checkAccess 11 * * * communicatesThrough Application * Service serviceId executeService() Client id credentials PoliciesDefinitionPoint authenticate() grantAccess() log() definePolicy() defineUser() defineRole() removeUser() removeRole() PolicyBaseIdentityBase PoliciesEnforcementPoint interceptMessage() controlAccess(url, id, credentials) Identity id credentials roles Policy serviceId role predicate 1 accessService ** Application Firewall 1 * 11 * Role ** memberOf * Application Level Implementation Level requestService Message

11 The Application Firewall Pattern Dynamics: Filtering a Client’s Request :Client : Policies EnforcementPoint : Policies DefinitionPoint : IdentityBase: PolicyBase:Application interceptMessage() checkAccess(uri, id, credentials) requestService(uri, id, credentials) authenticate(id, credentials) userAuthenticated grantAccess(uri, roles) getRoles(id) roles accessGranted accessService log() :ApplicationF irewall requestService(uri, id, credentials) requestAccepted

12 The Application Firewall Pattern Dynamics: Adding a new Policy addPolicy(policy) : PolicyBase:ApplicationF irewall : Administrator checkDuplicate(policy) CheckDuplicate == True addPolicy(policy) PolicyAdded

13 The Application Firewall Pattern Consequences –Advantages The institution policies to control access are easily defined and administered, as the policies are centralized. This makes the whole system less complex, and thus more secure. This facilitates the detection of possible attacks. An Intrusion Detection System can be combined with this firewall. In turn, the IDS can help the firewall block suspicious requests. The firewall lends itself to a systematic logging of incoming and outgoing messages. As authentication of Clients is performed, it holds regular users responsible of their actions. New applications are easily integrated into the system by adding their specific policies. New clients can de accommodated by adding new policies to the policy base of an application.

14 The Application Firewall Pattern Consequences –Possible liabilities The application could affect the performance of the protected system as it is a bottleneck in the network. This can be improved by considering the firewall a virtual concept and using several firewalls for implementation. The solution is intrusive for existing applications that already implement their own access control. The application itself must be built in a secure way or normal access to commands could allow attacks through the requests. We still need the Operating System to be secure.

15 The Application Firewall Pattern Implementation 1.Define users. 2.Define policies for the institution and hold policy base (Use Case 2). 3.Add/Remove policies when needed

16 The Application Firewall Pattern Known Uses –Cerebit innerGuard –Netegrity SiteMinder –Reactivity XML Firewall –Vordel XML security server –Westbridge XML Message Server –Netegrity TransactionMinder

17 The Application Firewall Pattern Related Patterns –The Authorization pattern defines the security model for the Application Firewall. –The Role-Based Access Control pattern, a specialization of the authorization pattern, is applicable if the business policies are respectively defined in terms of roles and rights. –The Application Firewall pattern is a special case of the Single-Point of-Access.

18 The XML Firewall Pattern Intent –To filter XML messages to/from user-defined applications, based on the business access control policies and the content of the message. Context –User-defined applications executing in distributed systems accessed through a local network, from the Internet, or from external networks. –These applications communicate through XML messages and could be web services or applications using web services. –Specific security policies have been defined by the institution, expressed as authorization rules.

19 The XML Firewall Pattern Problem –Some user-defined applications use tunneling into authorized flows (HTTP, SMTP,…) to communicate with the outside. They use higher level protocols such as SOAP and communicate through XML documents. –The XML documents in these messages can contain harmful data and can be used to perform attacks against applications. –Network firewalls provide infrastructure security but become useless when these high level protocols and formats are used.

20 The XML Firewall Pattern Forces –Document formats are subject to change, some new ones may appear (XML dialects); the firewall must adapt easily to these changes. –New types of harmful data may be used by attackers, the firewall must adapt easily to these new types of attacks. –There are many ways to filter, we need to separate the filtering code from the application code. –There may be numerous applications, that may require different levels of security. –New applications may be integrated into the system after the firewall has been put into operation. This integration should not require additional costs.

21 The XML Firewall Pattern Solution –A client can access a service of an application only if a specific policy authorizes it to do so and if the content of the message sent is considered to be safe for the applications. –Policies for each application are centralized within the Application Firewall, in a PolicyDefinitionPoint. –Each application is accessed by a client through a PolicyEnforcementPoint, that enforces the access control for the applications, by: authenticating the client through its identity data stored in the PolicyDefinitionPoint looking for a mapping policy for the request checking the content of the message: Its structure is validated through a database of valid XML schemas, and the data it conveys is checked through a HarmfulDataDetector.

22 The XML Firewall Pattern * * * communicatesThrough Application * Service uri executeService() Client id credentials PolicyBaseIdentityBase Identity id credentials roles Policy serviceId role predicate 1 accessService ** 1 * 11 * Role ** memberOf * 1 PolicyEnforcementPoint interceptMessage() controlAccess(url, id, credentials) ContentInspector PolicyDefinitionPoint authenticate() grantAccess() log() definePolicy() defineUser() defineRole() removeUser() removeRole() SchemaDatabase addSchema() removeSchema() updateSchema() XMLSchema Validator HarmfulDataD etector 11 XMLMessage Application Level Implementation Level checkAccess 11 1 XML Firewall requestService

23 The XML Firewall Pattern Dynamics: Filtering a Client’s Request :Client : Policies EnforcementPoint : Policies DefinitionPoint :Application controlAccess requestService accessGranted accessService :XMLApplicat ionFirewall checkContent requestAccepted : Content Inspector : XMLSchema Validator : Harmful DataDetector validateSchema schemaValidated checkData dataChecked contentChecked checkAccess

24 The XML Firewall Pattern Consequences –Additional advantage Provides a higher level of security than the Application Firewall because it inspects the complete XML message (This only applies to XML messages). –Possible liabilities: The application could to affect the performance of the protected system as it is a bottleneck in the network, and as the XML content checking may create a large overhead. The solution is intrusive for existing applications that already implement their own access control.

25 The XML Firewall Pattern Known Uses –Reactivity’s XML Firewall –Vordel’s XML Security Server –Netegrity’s TransactionMinder

26 The XML Firewall Pattern Related Patterns –Application Firewall

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.